Security Managers - A Practical Approach

Transcription

1 Managing e-health data: Security management in practice Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST

2 Structure of the presentation Practical approach towards ISMS: plan, do, act, check How to start Scope of the institution People and committees concerned Documents E-healtht: security managment 2

3 Practical approach: plan 1- Determine the scope (department, application, institution?) (step 1) 2- Determine the information/privacy policy (step 2) 3- Comprehensive risk analysis (steps 3, 4, 5) 4- Plan risk treatment (step 6) 5- Select management goals and controls (step 7) 6- Prepare statement of applicability (step 8) 7- Approve residual risk allowing ISMS to be carried out E-healtht: security managment 3

4 Practical approach: Do 1- Perform risk treatment, with resources allocated and controls (steps 1, 2, 3) 2- Educating and training (step 4) 3- Manage operations and business resources (steps 5, 6) 4- Deal with security incidents (step 7) E-healtht: security managment 4

5 Practical approach: Act 1- Carry out improvement measures (step 1) 2- Communicate the actions that have been taken (step 2) E-healtht: security managment 5

6 Practical approach: Check 1- Monitor procedures and controls (step 1) 2- Review ISMS regularly (step 2) 3- Management review (step 3) E-healtht: security managment 6

7 Plan: 1. Scope of the institution Delimit the boundaries of data security management Department Hospital Single application: for example medical record system Including or not including physical access RESULTING DOCUMENT: ISMS scope E-healtht: security managment 7

8 Plan: 2. Determine the information security/privacy policy Information/privacy policy of the institution: Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. General policy statements concerning how data is managed by the institution PLUS: a) the need for health information security; b) the goals of health information security; c) compliance scope d) legislative, regulatory, and contractual requirements, including those for the protection of personal health information and the legal and ethical responsibilities of health professionals to protect this information; e) arrangements for notification of information security incidents, including a channel for raising concerns regarding confidentiality, without fear of blame or recrimination. f) the breadth of health information; g) the rights and ethical responsibilities of staff, as agreed in law, and as accepted by members of professional bodies; RESULTING DOCUMENT: ISMS Information security policy paper E-healtht: security managment 8

9 Plan: 2. Determine the information security/privacy policy h) the rights of subjects of care, where applicable, to privacy and to access to their records; i) the obligations of clinicians with respect to obtaining informational consent from subjects of care and maintaining the confidentiality of personal health information; j) the legitimate needs of clinicians and health organizations to be able to overcome normal security protocols when healthcare priorities, often linked to the incapacity of certain subjects of care to express their preferences, necessitate such overrides; also the procedures to be employed to achieve this; k) the obligations of the respective health organizations, and of subjects of care, where healthcare is delivered on a shared care or extended care basis; l) the protocols and procedures to be applied to the sharing of information for the purpose of research and clinical trials m) the arrangements for, and authority limits of, temporary staff, such as locums, students and on-call staff; n) the arrangements for, and limitations placed upon, access to personal health information by volunteers and support staff such as clergy and charity personnel. RESULTING DOCUMENT: ISMS information security policy paper E-healtht: security managment 9

10 Plan: 3. Risk assessment 1. Organize the risk management process: who will do what? Committees, individuals? Consultants? 2. Identify the risks 3. Evaluate risks impact 4. Evaluate risk importance (establish a hierarchy) 5. select solutions RESULTING DOCUMENT: ISMS Risk assessment document E-healtht: security managment 10

11 Plan: 3. Risk assessment: points of attention 1. Information that needs protection: Personal health information Pseudonymized data derived from personal health data Statistical and research data clinical/medical knowledge Data on health professionals (staff/volunteers) Information related to public health surveillance Audit trail data System security data, including access control data and all system configuration data E-healtht: security managment 11

12 Plan: 3. Risk assessment: points of attention Information that needs protection: Personal health information Pseudonymized data derived from personal health data Statistical and research data clinical/medical knowledge Data on health professionals (staff/volunteers) Information related to public health surveillance Audit trail data System security data, including access control data and all system configuration data E-healtht: security managment 12

13 Plan: 4. Risk treatment Goals: Diminish (or eliminate) the risks to assets by the threats that were defined RESULTING DOCUMENT: ISMS Risk treatment document E-healtht: security managment 13

14 Plan: 5. Management goals Management goals: For example: Introduce new security measures: Physical protection: steel doors, secure locks within 1 week Physical access logging within 1 month Firewall between local and external network within 2 months Resources: $2500 HR: 3 man-months RESULTING DOCUMENT: ISMS Management goals document E-healtht: security managment 14

15 Plan: 6. Statement of applicability Statement of applicability: Involvement: technical department: physical access ICT department External consultants RESULTING DOCUMENT: ISMS Statement of applicability document E-healtht: security managment 15

16 Plan: 7. Residual risk What is the residual risk: Although the countermeasures were taken, there are residual risks: - break-in via metal door - break-in via the network's firewall - personnel mischief RESULTING DOCUMENT: ISMS Residual risk document E-healtht: security managment 16

17 Assignment Set up an ISMS for your institution (at least the plan part): Department Ministry Company Hospital Making use of the ISO methodology and resulting in the set of documents as required by the standard. The set of documents will be bundled as a single report, with the paragraphs corresponding to the ISO-ISMS documents as specified step by step above. Unless specific references are used, no need for references but methods used to gather information and to come to conclusions in the different parts of the report MUST be specified step by step! E-healtht: security managment 17

18 References and more information Introduction to ISO 2002 and friends, Martin Dolphin ISO standards 27001, 27002, and Anne Lupfer, Gestion des risques et sécurité de l'information, Eyrolles, 2010, ISBN: E-healtht: security managment 18

19 Thank you for your attention! Any questions? Medical Informatics VUB, KIST